Re: [Anima] creating iDevID certs with openssl
Robert Moskowitz <rgm-sec@htt-consult.com> Wed, 16 August 2017 17:47 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 894DD126CB6 for <anima@ietfa.amsl.com>; Wed, 16 Aug 2017 10:47:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lHYHkZLheQyU for <anima@ietfa.amsl.com>; Wed, 16 Aug 2017 10:47:01 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [50.253.254.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6738E1200F3 for <anima@ietf.org>; Wed, 16 Aug 2017 10:47:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 360836219C; Wed, 16 Aug 2017 13:47:00 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id zOn2TtK5aLiF; Wed, 16 Aug 2017 13:46:52 -0400 (EDT)
Received: from lx120e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 93BFB6219B; Wed, 16 Aug 2017 13:46:51 -0400 (EDT)
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: Kent Watsen <kwatsen@juniper.net>, "anima@ietf.org" <anima@ietf.org>
References: <d64b22cd-807d-2598-7f2d-2ef07534724b@htt-consult.com> <3a5adc64-1737-9ecc-5c13-b310b48c2ba0@htt-consult.com> <31E4D893-7438-4EF4-85DF-4F47D70FF3CF@juniper.net> <7a2bbf4e-e4f1-a0d0-690d-982ea22003bc@htt-consult.com>
Message-ID: <e7df2422-c6ae-3f60-d514-270cb141ff6f@htt-consult.com>
Date: Wed, 16 Aug 2017 13:46:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <7a2bbf4e-e4f1-a0d0-690d-982ea22003bc@htt-consult.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/uHcO2huRnjzYaMjqm3Y1DF7eTkg>
Subject: Re: [Anima] creating iDevID certs with openssl
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 17:47:03 -0000
I would love to tackle Ed25519 certs, but that is still in dev in openssl. Also I don't like that they used SHA512, rather than SHAKE128. It is ok for big systems, but not for the little stuff. On 08/16/2017 01:43 PM, Robert Moskowitz wrote: > Kent, > > Thanks for the reply. They don't have it right with: > > [ alt_names ] > otherName = 1.3.6.1.5.5.7.8.4;UTF8:EX320 > > Go to: http://www.htt-consult.com/pki.html > > And see my 802.1AR setup. I am much further along. I got to this > point yesterday. > > There are a number of things you need to match the 1AR profile. I > believe I am making hardwareModuleName per RFC4108. I believe I have > hwType right as an OID. The thing is what to use for hwSerialNum. > > There are a lot of pieces in the cnf file so I am not posting it here. > > But I am making a CSR with the HMN in it and the intermediate CA is > signing that, making a cert. > > All my certs are ECDSA P-256. I also put the proper 'forever' enddate > value in. > > THe SAN can only be specified within the cnf file, so you need a hack > to add it to the file prior to making the CSR. > > There are a number of 'next steps'. I can develop this for an offline > system on one of my Cubieboard2s running Fedora26 so I could bring it > to Singapore. > > But I would like to put together a group that want to develop this. > There is no interest, but there is help, on the openssl-user list. > > On 08/16/2017 12:43 PM, Kent Watsen wrote: >> Hi Bob, I'm watching this thread with interest. My take on this [1] >> is a little different than yours, but I was just prototyping a rough >> solution, I never took it to completion... [1] >> https://github.com/netconf-wg/zero-touch/blob/master/openssl-test/vendor/idevid-certificate-pki/intermediate-ca/openssl.cnf#L55Kent >> -- Making some progress. On 08/14/2017 01:44 PM, Robert Moskowitz wrote: >>> I have just joined this list. So if this is covered in the archives >>> anywhere, my weak search foo did not uncover it... >>> >>> Has anyone created iDevID certs with openssl including subjectAltName >>> with hardwareModuleName? >>> >>> I have been working on this for a few days and have worked out HOW to >>> even get certs to contain SAN, particularly going the csr route. I >>> have learned on the openssl list that HMN is not directly supported >>> and that you have to use othername. Something like >>> >>> [ req_ext ] >>> subjectAltName = otherName:1.3.6.1.5.5.7.8.4;SEQ:hmodname >>> >>> [ hmodname ] >>> hwType = OID:1.2.3.4 # Whatever OID you want. >>> hwSerialNum = FORMAT:HEX,OCT:01020304 # Some hex >> This produces a subjectAltName content of: >> >> 0:d=0 hl=2 l= 27 cons: SEQUENCE >> 2:d=1 hl=2 l= 25 cons: cont [ 0 ] >> 4:d=2 hl=2 l= 8 prim: OBJECT :1.3.6.1.5.5.7.8.4 >> 14:d=2 hl=2 l= 13 cons: cont [ 0 ] >> 16:d=3 hl=2 l= 11 cons: SEQUENCE >> 18:d=4 hl=2 l= 3 prim: OBJECT :1.2.3.4 >> 23:d=4 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:01020304 >> >> >> I suspect that hwtype is a full vendor OID for registering this device. >> Say my company, HTT Consulting makes sensor widgets. The OID for that >> could be: >> >> 1.3.6.1.4.1.6715.10.1 (where 10 is HTT's devices and 1 is the sensor >> widget). >> >>> But I am not sure what exactly to do with hwType and hwSerialNum >>> >>> Are there any extant examples? >> So googling around for examples and not finding any. But then my search >> foo has always been weak. >> >>> Currently there is no way to feed any SAN value in at the command like >>> 'openssl req'. It has to go into the config file, so once I work out >>> WHAT to but into these fields, I will have to do some kludgly stuff to >>> stuff values into the config then run the command. There are examples >>> of this around for SANs of IP, DNS, etc. >>> >>> BTW, so far I have a simple guide for making a pki of ECDSA certs >>> using openssl. I would be willing to share what I have done todate. >>> The 802.1AR cert section is understandably incomplete... >>> >>> Bob >> _______________________________________________ >> Anima mailing list >> Anima@ietf.org >> https://www.ietf.org/mailman/listinfo/anima >> >> > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima
- [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Kent Watsen
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Michael Richardson
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz
- Re: [Anima] creating iDevID certs with openssl Robert Moskowitz